4-16 Riverstone Networks RS 3000 Switch Router Getting Started Guide
Setting Up SNMP
Initial Configuration
By default, SNMP information is sent and received on the RS 3000’s en0 Ethernet port. If you want SNMP to use a
different port on the RS 3000, use the following command:

snmp set trap-source <interface>|<IPaddr>

Here is an example:

rs(config)# snmp set trap-source 134.152.78.192

SNMP will now use the port with IP address 134.152.78.192. Remember, to make this change permanent, enter the
save startup command.

4.6.2 Improving SNMP Security
SNMPv1 is not a secure protocol. Messages containing community strings are sent in plain text from the manager
application to the agent. Anyone with a protocol decoder and access to the wire can capture, modify, and replay messages.

Applying ACLs to SNMP
When using SNMP v1 or v2, it is important to protect your RS 3000 by applying an Access Control List (ACL) to the
SNMP agent to prevent unauthorized access, and to route your SNMP traffic through trusted networks only.
Here are the basic configuration commands to apply an ACL to the RS 3000’s SNMP agent, allowing access to the
RS 3000 by only one management station:

rs(config)# acl mgmt_only permit udp <IPaddr> any any any
rs(config)# acl mgmt_only apply service snmp

The above ACL, applied to the SNMP service, allows messages from source IP address <IPaddr> to be processed by
the SNMP agent; packets from any other source IP address are dropped.

Disabling Authentication Traps
To provide additional security to the RS 3000, disable the sending of authentication traps. Authentication traps are sent
when SNMP v1 packets are received with invalid community strings. A common security attack on an SNMP v1 agent
is to send a message containing an invalid community string, and then capture the authentication trap to learn the
community string.
Here is an example of how to turn off the sending of authentication traps:

rs(config)# snmp disable trap authentication
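The three hardening steps in this section (an ACL applied to the SNMP service, only the management station permitted, authentication traps disabled) are easy to verify after the fact from a saved configuration. The following audit script is an added example written for this guide, not a Riverstone tool: it understands only the command forms shown above, the sample configuration it runs on is constructed, and the three trailing `any` fields of an ACL rule are assumed (not confirmed by the page) to be destination address, source port and destination port, which the script records but does not evaluate. It reports which of the three items are missing and can also answer whether a datagram from a given source address would reach the SNMP agent under the configured ACL.

```python
"""Audit an RS 3000-style configuration dump for the SNMP hardening items in
this section. Added example, not a Riverstone tool: it understands only the
command forms shown on the page, and the sample configuration is constructed.
"""
import ipaddress

# Constructed sample: the commands from this section as they would appear
# in a saved configuration, one per line, with a single permitted station.
SAMPLE_CONFIG = """\
snmp set trap-source 134.152.78.192
acl mgmt_only permit udp 10.0.0.5 any any any
acl mgmt_only apply service snmp
snmp disable trap authentication
"""


def parse_config(text):
    """Extract the SNMP-relevant facts from a configuration dump.

    ACL rule fields are taken as: name, action, protocol, source, then three
    further fields (assumed: destination, source port, destination port)
    that this example does not evaluate.
    """
    facts = {"trap_source": None, "auth_traps_disabled": False,
             "acls": {}, "snmp_acl": None}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["snmp", "set", "trap-source"] and len(parts) == 4:
            facts["trap_source"] = parts[3]
        elif parts == ["snmp", "disable", "trap", "authentication"]:
            facts["auth_traps_disabled"] = True
        elif parts[0] == "acl" and len(parts) == 5 and parts[2:4] == ["apply", "service"]:
            if parts[4] == "snmp":
                facts["snmp_acl"] = parts[1]
        elif parts[0] == "acl" and len(parts) == 8 and parts[2] in ("permit", "deny"):
            name, action, proto, src = parts[1], parts[2], parts[3], parts[4]
            facts["acls"].setdefault(name, []).append(
                {"action": action, "proto": proto, "source": src})
    return facts


def _source_matches(rule_src, src_ip):
    """True if src_ip falls inside the rule's source (an address, a prefix, or 'any')."""
    if rule_src == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src, strict=False)


def snmp_source_permitted(facts, src_ip):
    """Would a UDP datagram from src_ip be processed by the SNMP agent?

    With no ACL applied to the service every source is accepted. With an ACL,
    the first matching rule decides and anything unmatched is dropped, which
    is the behaviour the guide describes for the single-station ACL.
    """
    if facts["snmp_acl"] is None:
        return True
    for rule in facts["acls"].get(facts["snmp_acl"], []):
        if rule["proto"] in ("udp", "any") and _source_matches(rule["source"], src_ip):
            return rule["action"] == "permit"
    return False


def audit(text):
    """Return a list of findings; an empty list means the checks all pass."""
    facts = parse_config(text)
    findings = []
    if facts["snmp_acl"] is None:
        findings.append("no ACL applied to the snmp service: any host can query the agent")
    else:
        rules = facts["acls"].get(facts["snmp_acl"], [])
        if not rules:
            findings.append("ACL %r applied to snmp but has no rules" % facts["snmp_acl"])
        for rule in rules:
            if rule["action"] == "permit" and rule["source"] == "any":
                findings.append("ACL %r permits SNMP from any source" % facts["snmp_acl"])
    if not facts["auth_traps_disabled"]:
        findings.append("authentication traps still enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["configuration passes all checks"]:
        print(finding)
```

Run it against a configuration dump captured from the switch (or the constructed sample) and it prints one line per missing item. The `snmp_source_permitted` helper is useful for checking a proposed ACL before applying it, for example to confirm that the management station's address is still permitted after the rule set is edited.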